CN117150521A - Transparent encryption and decryption method and device for universal encryption card - Google Patents


Publication number
CN117150521A
Authority
CN
China
Prior art keywords
file
encryption
secret
encryption card
confidential
Prior art date
Legal status
Pending
Application number
CN202311035398.8A
Other languages
Chinese (zh)
Inventor
荣立飞
喻波
王志海
安鹏
秦凯
Current Assignee
Beijing Wondersoft Technology Co Ltd
Original Assignee
Beijing Wondersoft Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Wondersoft Technology Co Ltd
Priority to CN202311035398.8A
Publication of CN117150521A
Legal status: Pending

Classifications

    • G06F21/602 Providing cryptographic facilities or services (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data)
    • G06F21/31 User authentication (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data)

Abstract

The application provides a transparent encryption and decryption method and device for a universal encryption card. IO operations on confidential files in a target process are intercepted with API Hook technology, the encryption card plug-in framework is called, and the encryption card module matching the encryption card identifier stored in the ciphertext header of the confidential file is bound to encrypt and decrypt that file. File encryption and decryption are therefore transparent: the upper-layer application cannot perceive that encryption exists, and the user's identity is checked through a signature verification mechanism in the file, so that confidentiality and integrity of the file are ensured. Compared with a software algorithm, this encryption method is more secure and faster at encryption and decryption.

Description

Transparent encryption and decryption method and device for universal encryption card
Technical Field
The application relates to the technical field of transparent encryption and decryption of files, in particular to a transparent encryption and decryption method and device of a universal encryption card.
Background
To keep confidential electronic files in an enterprise secure, trusted encryption technology and hardware security devices, such as encryption cards combined with transparent encryption and decryption technology, are needed to encrypt and decrypt those files. This technology protects sensitive enterprise data, counters security threats such as hacking and data leakage, and protects the enterprise's business secrets and intellectual property. Transparent file encryption and decryption with an encryption card encrypts and decrypts files without the upper-layer application perceiving that encryption exists, while ensuring the confidentiality and integrity of the file.
In practice, suitable encryption cards and cryptographic algorithms must be chosen for the specific scenario, and safety measures taken to ensure security and reliability. For example, the encryption card needs security management and initialization, an appropriate key generation and management scheme must be selected, and measures such as physical isolation and anti-cracking technology must be adopted so that the keys inside the encryption card cannot be illegally obtained or stolen. At the same time, integrity checks and digital signatures must be applied to the encrypted file to ensure its integrity and non-repudiation.
However, as domestic, autonomously controllable cryptographic technology is applied ever more widely, the core, ordinary and commercial cryptographic modules of different manufacturers and their application interfaces become more and more diverse, which increases the adaptation and verification work required of cryptographic applications.
Disclosure of Invention
The application provides a transparent encryption and decryption method and device for a universal encryption card, which speed up adapting encryption cards, integrate the cryptographic modules of different manufacturers more quickly and efficiently, and strengthen the security of transparent encryption and decryption.
The first aspect of the embodiments of the application provides a transparent encryption and decryption method for a universal encryption card, comprising the following steps:
creating an encryption card module plug-in framework, and packaging the different encryption card modules according to the cryptographic device application interface specification to obtain a dynamic link library file;
injecting the dynamic link library file into a target process with API Hook technology so as to intercept IO operations on confidential files in the target process;
after an IO operation on a confidential file is intercepted, calling the encryption card plug-in framework and binding the corresponding encryption card module, according to the encryption card identifier stored in the ciphertext header of the confidential file, to encrypt and decrypt that file.
Optionally, the encryption card module plug-in framework includes a device layer, an access layer and an application layer;
the device layer comprises a plurality of encryption card modules, each of which has a unique encryption card identifier;
the access layer masks the differences between the various encryption card modules and provides a unified calling interface to the application layer, so as to manage the connected encryption card modules and call them uniformly;
the application layer provides the file encryption/decryption management classes and memory encryption/decryption management classes needed for transparent encryption and decryption of confidential files, so as to output plaintext or ciphertext.
Optionally, the method further comprises:
hooking the creation, opening and closing of the confidential file;
establishing a mapping between the file handle and the file path of the confidential file so as to build a corresponding file control block, the file handle identifying the opened confidential file;
and binding the corresponding encryption card module according to the encryption card identifier stored in the ciphertext header of the confidential file to encrypt and decrypt the file comprises:
reading from the file control block the encryption card identifier stored in the ciphertext header of the confidential file, matching the corresponding encryption card module in the encryption card module plug-in framework by that identifier, and binding the file encryption/decryption management class and memory encryption/decryption management class of that module to encrypt and decrypt the confidential file.
Optionally, the IO operations on the confidential file include a file mapping mode and a file read/write mode;
the file mapping mode covers opening, creating and closing the confidential file, and opening, creating and closing a file view, mapping the view and unmapping it; the file view is the part of the virtual address space that the target process uses to access the content of the confidential file;
the file read/write mode covers querying the file control block and setting the file size to modify the length information of the confidential file, and includes a synchronous read/write mode and an asynchronous read/write mode.
Optionally, when the target process opens the confidential file in file mapping mode, binding the corresponding encryption card module according to the encryption card identifier stored in the ciphertext header of the confidential file to encrypt and decrypt the file comprises:
triggering the file control block to detect whether the confidential file needs to be decrypted, and if so reading the encryption card identifier stored in its ciphertext header;
and calling the corresponding encryption card module, according to that identifier, to decrypt the confidential file, obtaining plaintext memory that is mapped into the virtual address space of the target process so that the file content can be viewed.
Optionally, when the target process closes the confidential file in file mapping mode, binding the corresponding encryption card module according to the encryption card identifier stored in the ciphertext header of the confidential file to encrypt and decrypt the file comprises:
unmapping the file and triggering the file control block to detect whether the confidential file needs to be encrypted, and if so reading the encryption card identifier stored in its ciphertext header;
and calling the corresponding encryption card module according to that identifier, encrypting the confidential file with the peer's public key, and storing the resulting ciphertext stream on disk.
Optionally, when the file read/write mode is the synchronous read/write mode, binding the corresponding encryption card module according to the encryption card identifier stored in the ciphertext header of the confidential file to encrypt and decrypt the file comprises:
when the confidential file is read, decrypting it with the corresponding encryption card module to obtain the plaintext data that is read;
when the confidential file is written, calling the corresponding encryption card module, encrypting the plaintext data with the peer's public key, and storing the resulting ciphertext stream on disk.
Optionally, when the file read/write mode is the asynchronous read/write mode, binding the corresponding encryption card module according to the encryption card identifier stored in the ciphertext header of the confidential file to decrypt the file comprises:
when the confidential file is read, allocating memory for it and passing that memory to the access layer of the encryption card plug-in framework to read the data;
when the I/O completion callback fires, intercepting the completion port operation and the read-data operation, and decrypting the data with the bound file encryption/decryption management class and memory encryption/decryption management class;
copying the decrypted data into the allocated memory, modifying the data length, and releasing the internally allocated memory space.
Optionally, when the file read/write mode is the asynchronous read/write mode, binding the corresponding encryption card module according to the encryption card identifier stored in the ciphertext header of the confidential file to encrypt the file comprises:
when the confidential file is written, allocating memory for it;
encrypting the data with the bound file encryption/decryption management class and memory encryption/decryption management class, and writing the encrypted data into the allocated memory;
and when the I/O completion callback fires, releasing the internally allocated memory space.
A second aspect of the embodiments of the application provides a transparent encryption and decryption device for a universal encryption card, comprising:
a process injection module, a file IO hook module, an encryption card module plug-in framework and a user interaction module;
the process injection module injects the file IO hook module into a target process;
the file IO hook module intercepts IO operations on confidential files, calls the encryption card plug-in framework and binds the corresponding encryption card module, according to the encryption card identifier stored in the ciphertext header of the confidential file, to encrypt and decrypt that file;
the encryption card module plug-in framework manages the connected encryption card modules and calls them uniformly;
and the user interaction module provides end-to-end file encryption and decryption.
Compared with the prior art, the application has the following advantages:
The embodiments of the application provide a transparent encryption and decryption method and device for a universal encryption card. IO operations on confidential files in the target process are intercepted with API Hook technology, the encryption card plug-in framework is called, and the encryption card module matching the identifier stored in the ciphertext header of the confidential file is bound to encrypt and decrypt that file, so that file encryption and decryption are transparent. On the one hand, the connected encryption card devices are managed through the encryption card module plug-in framework so that the encryption cards used in the enterprise are called uniformly, which reduces repeated adaptation and verification work and lets cryptographic modules of different manufacturers be integrated more quickly and efficiently. On the other hand, the encryption card supplies the encryption and decryption capability in the transparent encryption and decryption function, so the upper-layer application cannot perceive that encryption exists, and the user's identity is checked through a signature verification mechanism, ensuring the confidentiality and integrity of the file. Compared with a software algorithm, this encryption method is more secure and faster at encryption and decryption.
Drawings
FIG. 1 is a flow chart of a transparent encryption and decryption method for a universal encryption card according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an encryption card module plug-in framework according to an embodiment of the present application;
FIG. 3 is a flow chart of the file IO hook according to an embodiment of the application;
FIG. 4 is a schematic diagram of a transparent encryption/decryption architecture according to an embodiment of the present application;
FIG. 5 is a schematic diagram of an application of a transparent encryption/decryption method for a universal encryption card according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a transparent encryption and decryption device for a universal encryption card according to an embodiment of the present application.
Reference numerals: 1. process injection module; 2. file IO hook module; 3. encryption card module plug-in framework; 4. user interaction module.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
To keep confidential electronic files in an enterprise secure, trusted encryption technology and hardware security devices, such as encryption cards combined with transparent encryption and decryption technology, are needed to encrypt and decrypt those files. This technology protects sensitive enterprise data, counters security threats such as hacking and data leakage, and protects the enterprise's business secrets and intellectual property. Transparent file encryption and decryption with an encryption card encrypts and decrypts files without the upper-layer application perceiving that encryption exists, while ensuring the confidentiality and integrity of the file. "Transparent" means that files of the specified types are encrypted and decrypted in real time, mandatorily and transparently, without changing the user's habits, the computer's file formats or the application programs. During normal use, files in the computer's memory exist in protected plaintext form, but the data stored on the hard disk is encrypted. Without a legitimate user identity, the corresponding access rights and a correct secure channel, every encrypted file remains in ciphertext, and any data obtained through illegitimate means appears only as ciphertext.
In practice, suitable encryption cards and cryptographic algorithms must be chosen for the specific scenario, and safety measures taken to ensure security and reliability. For example, the encryption card needs security management and initialization, an appropriate key generation and management scheme must be selected, and measures such as physical isolation and anti-cracking technology must be adopted so that the keys inside the encryption card cannot be illegally obtained or stolen. At the same time, integrity checks and digital signatures must be applied to the encrypted file to ensure its integrity and non-repudiation.
However, as domestic, autonomously controllable cryptographic technology is applied ever more widely, the core, ordinary and commercial cryptographic modules of different manufacturers and their application interfaces become more and more diverse, which increases the adaptation and verification work required of cryptographic applications.
In view of this, to mask the differences between cryptographic devices, unify the cryptographic call interface, lower the barrier to applying cryptography and raise the level of cryptographic adoption, an encryption card interface plug-in framework is designed on the basis of the GM/T 0018-2012 cryptographic device application interface specification. The plug-in framework manages the connected encryption card devices so that the encryption cards used in the enterprise can be called uniformly, which eliminates a great deal of repeated adaptation and verification work and lets cryptographic modules of different manufacturers be integrated more quickly and efficiently. In addition, combined with API Hook technology, the end user's operations on the file stream are intercepted, the encryption card interface plug-in framework is called, and the corresponding encryption card encrypts and decrypts the file stream, so that transparent file encryption and decryption is achieved.
Referring to fig. 1, fig. 1 is a flowchart of a transparent encryption and decryption method for a universal encryption card according to an embodiment of the application. As shown in fig. 1, the method comprises the following steps:
Step S101: create an encryption card module plug-in framework, and package the different encryption card modules according to the cryptographic device application interface specification to obtain a dynamic link library file.
In this embodiment, the inventors designed the encryption card module plug-in framework on the basis of the GM/T 0018-2012 cryptographic device application interface specification, after analysing the application interfaces of cryptographic devices and the logical structure of the international public-key cryptography interfaces, with transparent file encryption and decryption as the application. Device management, key management, cryptographic operations and the other parts of the various encryption cards are abstracted and encapsulated at the access layer, and a unified interface is provided to the application layer, so that a new encryption card module only has to be packaged according to the framework at the access layer; this reduces repeated adaptation and verification work and lets cryptographic modules of different manufacturers be integrated more quickly and efficiently.
Specifically, the encryption card module plug-in framework comprises a device layer, an access layer and an application layer. The device layer comprises a plurality of encryption card modules, each of which has a unique encryption card identifier; the access layer masks the differences between the various encryption card modules and provides a unified calling interface to the application layer, so as to manage the connected encryption card modules and call them uniformly; the application layer provides the file encryption/decryption management classes and memory encryption/decryption management classes needed for transparent encryption and decryption of confidential files, so as to output plaintext or ciphertext.
As shown in fig. 2, the bottom device layer interfaces with the encryption card devices and contains multiple cryptographic machines, i.e. encryption card modules; each encryption card module has a unique encryption card identifier, which is matched against the device identifier at the access layer to determine the corresponding file and memory encryption/decryption modes. The access layer consists of three parts: device management, key management and cryptographic operations. By abstracting and encapsulating these parts for the various encryption cards, cards of the different classes (core, ordinary and commercial cryptography, and so on) are integrated into the encryption card module plug-in framework, which masks the differences between cryptographic devices, unifies the cryptographic call interface, lowers the barrier to applying cryptography and raises the level of cryptographic adoption. The upper application layer connects to the PC client of the software system and provides the file encryption/decryption management classes and memory encryption/decryption management classes needed for transparent encryption and decryption of confidential files; the file encryption/decryption management classes cover a symmetric encryption/decryption algorithm, an asymmetric encryption/decryption algorithm, a signature verification mechanism, a file hash algorithm and so on. Once the C++ program is packaged into a dynamic link library (DLL) file and loaded into the target program, transparent file encryption and decryption is carried out through the DLL interface functions we define, producing plaintext or ciphertext.
The connected encryption card devices are managed through the encryption card module plug-in framework so that the encryption cards used in the enterprise can be called uniformly, which speeds up adapting encryption cards.
Step S102: inject the dynamic link library file into a target process with API Hook technology so as to intercept IO operations on confidential files in the target process.
In this embodiment, a Hook is a system mechanism provided by Windows to replace the "interrupts" of DOS (disk operating system); it is known as a "hook". Once a Hook has been set on a particular system event, whenever that event occurs the program that set the Hook receives a notification from the system and can respond to the event immediately. Building on this, API Hook technology changes the result of executing an API: it can be understood as hooking an API function, and after the hook code is injected into the target program, it can intercept and control calls to certain API functions. In other words, an API hook intercepts calls in the target program and can replace or modify the functions being called.
In this embodiment, the target processes are mainly document processes, including those for Notepad, Office and WPS documents, spreadsheets, presentations and the like. In a concrete application, the packaged dynamic link library file is injected into the target process with a remote injection technique, and the injected target process is the precondition for the transparent encryption and decryption that follows. When it is detected that the user calls a relevant API function in the target process to perform an IO operation on a confidential document, for example creating, opening or closing a file, the API function is intercepted so that the target program executes the code packaged in advance in the dynamic link library: the encryption card module plug-in framework is called and the corresponding encryption card module encrypts or decrypts the confidential document involved in that operation, achieving transparent encryption and decryption of the document. In other words, once the API is hooked, the actual execution flow of the API function changes, with code packaged in advance replacing the original API function.
Step S103: after an IO operation on a confidential file is intercepted, call the encryption card plug-in framework and bind the corresponding encryption card module, according to the encryption card identifier stored in the ciphertext header of the confidential file, to encrypt and decrypt that file.
In one possible embodiment, the process mainly comprises: hooking the creation, opening and closing of the confidential file; and establishing a mapping between the file handle and the file path of the confidential file so as to build a corresponding file control block, the file handle identifying the opened confidential file. Binding the corresponding encryption card module according to the encryption card identifier stored in the ciphertext header of the confidential file, and encrypting and decrypting the file with it, then mainly comprises: reading from the file control block the encryption card identifier stored in the ciphertext header of the confidential file, matching the corresponding encryption card module in the encryption card module plug-in framework by that identifier, and binding the file encryption/decryption management class and memory encryption/decryption management class of that module to encrypt and decrypt the confidential file.
In this embodiment, the IO operations on the confidential file may include creating, opening and closing the file, and the like, and the confidential file is intercepted by hooking the API functions used to perform those IO operations. The confidential files are managed through a mapping of their file handles to their file paths, from which the corresponding file control blocks are built. The file handle identifies an opened confidential file; each opened confidential file has a unique file handle. In actual operation, referring to fig. 3, the relevant information about the current confidential file is read from the file control block, including the encryption card identifier stored in the file's ciphertext header, the file handle and the storage path of the file. The encryption card module plug-in framework is then called, the corresponding encryption card module is matched at the access layer by the encryption card identifier that was read, the file encryption/decryption management class and memory encryption/decryption management class of that module are bound at the application layer, and the confidential file is encrypted or decrypted with the corresponding algorithm, outputting plaintext for viewing the file content or ciphertext to be stored on disk. That is, different data is encrypted and decrypted with different keys in an end-to-end manner (which can be understood as "one file, one key"), protected by the peer's key-encryption key, so that the end user's sensitive files and data are protected and transparent encryption and decryption of files is finally achieved through the encryption card.
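As an added illustration of steps S101 to S103 (example code written for this page, not code from the patent or from Beijing Wondersoft), the following C++ model shows the access layer's unified interface, two stand-in device-layer modules from different vendors, a file control block, and the open/read/write path that binds a module by the identifier in the ciphertext header. The header layout, card identifiers, vendor names and the byte-transform "ciphers" are assumptions made for the example; a real module would call a GM/T 0018 device behind the same interface.

```cpp
// Added model of the encryption card plug-in framework (not the patent's code).
// Header layout, card identifiers and the byte-transform "ciphers" are assumptions.
#include <cstdint>
#include <cstring>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Access layer: the unified interface every encryption card module is wrapped behind.
struct CardModule {
    uint32_t id;                        // unique encryption card identifier
    std::string vendor;                 // which manufacturer's module this wraps
    Bytes (*encrypt)(const Bytes&);     // cryptographic operation: plaintext -> ciphertext
    Bytes (*decrypt)(const Bytes&);     // cryptographic operation: ciphertext -> plaintext
};

// Device layer stand-ins (constructed): reversible byte transforms so the example runs
// without hardware. A real module would call the card vendor's SDK here.
static Bytes xorCard(const Bytes& in) { Bytes o(in); for (auto& b : o) b ^= 0x5A; return o; }
static Bytes addCard(const Bytes& in) { Bytes o(in); for (auto& b : o) b = uint8_t(b + 0x11); return o; }
static Bytes subCard(const Bytes& in) { Bytes o(in); for (auto& b : o) b = uint8_t(b - 0x11); return o; }

// Assumed ciphertext header: "ECHD" magic, little-endian card id, little-endian payload length.
constexpr size_t kHeaderLen = 12;

// File control block: the hook's mapping from an open handle to its path and bound card.
struct FileControlBlock {
    uintptr_t handle = 0;
    std::string path;
    bool encrypted = false;   // false: not a confidential file, IO passes through untouched
    uint32_t cardId = 0;      // identifier read from the ciphertext header
};

class PluginFramework {
public:
    void registerModule(const CardModule& m) { modules_[m.id] = m; }

    // Matching step: bind the module named by the header; refuse rather than guess.
    const CardModule& bind(uint32_t id) const {
        auto it = modules_.find(id);
        if (it == modules_.end()) throw std::runtime_error("no encryption card module for id");
        return it->second;
    }

    // Write path (unmap/close or synchronous write): header + card output go to disk.
    Bytes wrapFile(uint32_t id, const Bytes& plain) const {
        Bytes body = bind(id).encrypt(plain);
        Bytes out(kHeaderLen);
        std::memcpy(out.data(), "ECHD", 4);
        putU32(&out[4], id);
        putU32(&out[8], static_cast<uint32_t>(body.size()));
        out.insert(out.end(), body.begin(), body.end());
        return out;
    }

    // Open/create hook: build the file control block and decide whether decryption is needed.
    FileControlBlock open(uintptr_t handle, const std::string& path, const Bytes& onDisk) const {
        FileControlBlock fcb{handle, path, false, 0};
        if (onDisk.size() >= kHeaderLen && std::memcmp(onDisk.data(), "ECHD", 4) == 0) {
            uint32_t len = getU32(&onDisk[8]);
            // Only trust a header whose length field is consistent with the file size.
            if (onDisk.size() - kHeaderLen == len) {
                fcb.encrypted = true;
                fcb.cardId = getU32(&onDisk[4]);
            }
        }
        return fcb;
    }

    // Read hook: the application receives plaintext and never sees the on-disk ciphertext.
    // A confidential file whose card is not registered raises an error instead of leaking bytes.
    Bytes read(const FileControlBlock& fcb, const Bytes& onDisk) const {
        if (!fcb.encrypted) return onDisk;
        Bytes body(onDisk.begin() + kHeaderLen, onDisk.end());
        return bind(fcb.cardId).decrypt(body);
    }

private:
    static void putU32(uint8_t* p, uint32_t v) { for (int i = 0; i < 4; ++i) p[i] = uint8_t(v >> (8 * i)); }
    static uint32_t getU32(const uint8_t* p) {
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v |= static_cast<uint32_t>(p[i]) << (8 * i);
        return v;
    }
    std::map<uint32_t, CardModule> modules_;   // access layer's registry of device-layer modules
};

// Round-trip a constructed document through both stand-in cards, then a plaintext file.
bool demoRoundTrip() {
    PluginFramework fw;
    fw.registerModule({1, "vendor-A", xorCard, xorCard});
    fw.registerModule({2, "vendor-B", addCard, subCard});
    const Bytes plain = {'s', 'e', 'c', 'r', 'e', 't'};
    for (uint32_t id : {1u, 2u}) {
        Bytes onDisk = fw.wrapFile(id, plain);
        FileControlBlock fcb = fw.open(0x1234, "C:\\docs\\report.docx", onDisk);
        if (!fcb.encrypted || fcb.cardId != id) return false;
        if (Bytes(onDisk.begin() + kHeaderLen, onDisk.end()) == plain) return false;  // stored as ciphertext
        if (fw.read(fcb, onDisk) != plain) return false;                               // app sees plaintext
    }
    FileControlBlock pt = fw.open(0x1235, "C:\\docs\\notes.txt", plain);  // no header: pass-through
    return !pt.encrypted && fw.read(pt, plain) == plain;
}
```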
According to the application, the Hook module is injected into the target process, when the terminal user opens or stores the confidential electronic document, the operation of the file stream is intercepted, the encryption and decryption engine in the plug-in frame of the encryption card module is called, and the encryption and decryption processing is carried out on the file stream by using the encryption card, so that the transparent encryption and decryption operation of the file is realized, and the upper application program cannot perceive the existence of encryption and decryption. Meanwhile, the identity of the user is identified in the application layer of the plug-in frame of the encryption card module through a signature verification mechanism, so that confidentiality and integrity of the file are ensured. In terms of security, hardware encryption is further performed through the encryption card on the basis of a soft algorithm, so that the difficulty of decrypting the cipher key is higher, and the security is higher. Meanwhile, the encryption card is used for providing encryption and decryption capability, so that the processing resources of the computer are not occupied like a soft algorithm, and the encryption and decryption speed is higher. In addition, the designed plug-in frame of the encryption card module can shield the difference of the bottom password equipment and provide a unified calling interface for the password application layer, so that the adaptation cost of the encryption card can be saved, and the adaptation speed of the encryption card in the transparent encryption and decryption application process can be effectively improved.
Referring to fig. 5, fig. 5 is an application schematic diagram of a transparent encryption and decryption method for a universal encryption card according to an embodiment of the application. Two IO modes at the NTDLL layer are intercepted: file mapping, and file reading and writing.
Optionally, the file mapping mode includes opening, creating and closing the confidential file, and opening, creating and closing the file view, mapping the view and unmapping the view; the file view is the portion of virtual address space through which the target process accesses the ciphertext content. It can also be understood that the file content is mapped into a contiguous memory region, which is referred to as a view of the mapped file. Through the file view, the data in the memory region can be read or written directly, and these operations are automatically synchronized back into the file, so that reading and writing of the file are realized. The file read-write mode refers to correcting the length information of the confidential file according to the file size queried and set through the file control block, and it comprises a synchronous read-write mode and an asynchronous read-write mode.
In practical application, a Hook module is injected into the target process in advance, and when the terminal user opens a confidential file through the target process, the relevant information of the current confidential file, such as its file handle and storage path, is read from the file control block.
Specifically, if the confidential file is opened in the file mapping mode, the file control block is triggered to detect whether the confidential file needs to be decrypted, and if so, the encryption card identifier stored in the ciphertext header of the confidential file is read. The corresponding encryption card module is then called, according to that identifier, to decrypt the confidential file, so that plaintext memory is mapped into the virtual address space of the target process and the file content can be viewed. When file content is written for storage in the file mapping mode, the file mapping must first be cancelled; the file control block is triggered to detect whether the confidential file needs to be encrypted, and if so, the encryption card identifier stored in the ciphertext header of the confidential file is read. The corresponding encryption card module is then called according to that identifier, the confidential file is encrypted with the public key of the opposite end, and the resulting ciphertext stream is stored on disk.
Referring to fig. 4, when a confidential file is opened by a target process, several file handle objects appear (besides the opened file itself, dynamic files, configuration files and the like belonging to the target process), and these file handles correspond to one file control block. That is, as shown in fig. 4, one file control block manages N file handle objects, one memory map object and one system view, and there is a one-to-N relationship between the system view and the user views. The system view is the first view created and is detected at the map-view operation; a user view is any view created subsequently through the mapping. During encryption and decryption, the memory encryption and decryption management class and the file control block work together with the encryption card access layer of the encryption card module plug-in framework.
If the file operation is performed in the file read-write mode, it is either a synchronous read-write operation or an asynchronous one. Synchronous means that the target program itself participates directly in the IO read or write; asynchronous means that all IO reads and writes are handed to the operating system and the target program only waits for a notification. In the synchronous read-write mode, when the confidential file is read, it is decrypted by the corresponding encryption card module and the resulting plaintext data is returned to the reader; when the confidential file is written, the corresponding encryption card module is called, the plaintext data is encrypted with the public key of the opposite end, and the resulting ciphertext stream is stored on disk, completing synchronous reading and writing of the confidential file. In the asynchronous read-write mode, when the confidential file is read, memory is first allocated for the confidential file and handed to the access layer of the encryption card plug-in framework to read the data. When the I/O completion callback is handled, the completion port operation and the read-data operation are intercepted, and the data is decrypted with the bound file encryption and decryption management class and memory encryption and decryption management class. The decrypted data is copied into the allocated memory, the data length is corrected, and the internally allocated memory is released. When the confidential file is written, memory is first allocated for the confidential file, the data is encrypted with the bound file encryption and decryption management class and memory encryption and decryption management class, and the encrypted data is written into the allocated memory. When the I/O completion callback is handled, the internally allocated memory is released, completing asynchronous reading and writing of the confidential file.
When the terminal user opens or saves a confidential electronic document, the operation on the file stream is intercepted, the encryption and decryption engine in the plug-in framework of the encryption card module is called, and the file stream is encrypted or decrypted by the encryption card, so that transparent encryption and decryption of the file is realized and the upper-layer application program cannot perceive that encryption and decryption take place.
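The header-driven binding described above (read the encryption card identifier from the ciphertext header, match a module in the plug-in framework, bind it to the file control block, then route reads and writes through it) as an added C example; this is not the patent's code, and the header layout, the module interface, the toy transforms and the return codes are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed ciphertext header. The patent only says the header stores the
 * encryption card identifier, so this layout is an assumption: a marker that the
 * file is confidential, the card id, and the true plaintext length used to correct
 * the file size information in the file read-write mode. */
#define HDR_MAGIC 0x43454E43u
typedef struct { uint32_t magic, card_id, plain_len; } CipherHeader;

/* Device layer: one module per encryption card. The memory encryption and
 * decryption management class is modelled as one in-place transform (assumed
 * interface); the toy transforms below only stand in for a card's algorithm. */
typedef int (*MemXform)(uint8_t *buf, size_t len, int encrypt);
typedef struct { uint32_t card_id; const char *name; MemXform xform; } CardModule;

static int card_a_xform(uint8_t *buf, size_t len, int encrypt) {
    (void)encrypt;                              /* XOR is its own inverse */
    for (size_t i = 0; i < len; i++) buf[i] ^= 0x5A;
    return 0;
}
static int card_b_xform(uint8_t *buf, size_t len, int encrypt) {
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)(encrypt ? buf[i] + 3 : buf[i] - 3);
    return 0;
}
static const CardModule g_modules[] = { { 1, "card-A", card_a_xform },
                                        { 2, "card-B", card_b_xform } };

/* Access layer: match a module by identifier so the application layer never
 * sees device differences. NULL means no module has been adapted for the id. */
const CardModule *match_module(uint32_t card_id) {
    for (size_t i = 0; i < sizeof g_modules / sizeof g_modules[0]; i++)
        if (g_modules[i].card_id == card_id) return &g_modules[i];
    return NULL;
}

/* File control block: maps a file handle and path to the bound card module. */
typedef struct { int handle; char path[64]; CipherHeader hdr; const CardModule *bound; } FileControlBlock;

/* Hooked create: a new confidential file is bound to a chosen card (the policy
 * choosing the card is assumed). Returns 0, or -2 if no module carries the id. */
int fcb_create(FileControlBlock *fcb, int handle, const char *path, uint32_t card_id) {
    memset(fcb, 0, sizeof *fcb);
    fcb->handle = handle;
    strncpy(fcb->path, path, sizeof fcb->path - 1);
    fcb->hdr.magic = HDR_MAGIC;
    fcb->hdr.card_id = card_id;
    fcb->bound = match_module(card_id);
    return fcb->bound ? 0 : -2;
}

/* Hooked open: read the header from the on-disk image and decide what to do.
 * Returns 0 bound, -1 not confidential (pass the file through untouched),
 * -2 confidential but card not adapted (fail closed rather than expose bytes). */
int fcb_open(FileControlBlock *fcb, int handle, const char *path, const uint8_t *image, size_t image_len) {
    CipherHeader h;
    if (image_len < sizeof h) return -1;
    memcpy(&h, image, sizeof h);
    if (h.magic != HDR_MAGIC) return -1;
    if (fcb_create(fcb, handle, path, h.card_id) != 0) return -2;
    fcb->hdr = h;
    return 0;
}

/* Hooked read: decrypt the body into the caller's buffer and return the
 * corrected (plaintext) length, or -1 on an unbound FCB or malformed image. */
int fcb_read(const FileControlBlock *fcb, const uint8_t *image, size_t image_len, uint8_t *out, size_t out_cap) {
    if (!fcb->bound || image_len < sizeof(CipherHeader)) return -1;
    size_t n = fcb->hdr.plain_len;
    if (n > image_len - sizeof(CipherHeader) || n > out_cap) return -1;
    memcpy(out, image + sizeof(CipherHeader), n);
    fcb->bound->xform(out, n, 0);
    return (int)n;
}

/* Hooked write: emit header + encrypted body ready for the disk. Returns the
 * ciphertext image length, or -1 if unbound or the buffer is too small. */
int fcb_write(FileControlBlock *fcb, const uint8_t *plain, size_t plain_len, uint8_t *image, size_t cap) {
    if (!fcb->bound || cap < sizeof(CipherHeader) + plain_len) return -1;
    fcb->hdr.plain_len = (uint32_t)plain_len;
    memcpy(image, &fcb->hdr, sizeof fcb->hdr);
    memcpy(image + sizeof fcb->hdr, plain, plain_len);
    fcb->bound->xform(image + sizeof fcb->hdr, plain_len, 1);
    return (int)(sizeof fcb->hdr + plain_len);
}
```

A file whose header names a card that the framework has not adapted is refused rather than handed to the application as raw bytes, which is the failure mode the unified access layer has to handle.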
Based on the same inventive concept, an embodiment of the application provides a transparent encryption and decryption device of a universal encryption card. Referring to fig. 6, fig. 6 is a schematic structural diagram of a transparent encryption and decryption device for a universal encryption card according to an embodiment of the present application, including:
the device comprises a process injection module 1, a file IOHook module 2, an encryption card module plug-in framework 3 and a user interaction module 4;
the process injection module 1 is used for injecting the file IOHook module into a target process;
the file IOHook module 2 is used for intercepting IO operations on the confidential file, calling the encryption card plug-in framework, and binding the corresponding encryption card module to encrypt and decrypt the confidential file according to the encryption card identifier stored in the ciphertext header of the confidential file;
the encryption card module plug-in framework 3 is used for managing the adapted encryption card modules and realizing unified calling of the encryption card modules;
and the user interaction module 4 is used for realizing end-to-end file encryption and decryption.
Optionally, the apparatus further includes:
the hooking module is used for hooking the creation, opening and closing of the confidential file;
the mapping module is used for establishing a mapping relation between the file handle and the file path of the confidential file so as to establish the corresponding file control block; the file handle is used for identifying the opened confidential file;
the file IOHook module 2 is specifically configured to:
read the encryption card identifier stored in the ciphertext header of the confidential file from the file control block, match the corresponding encryption card module in the encryption card module plug-in framework according to the encryption card identifier, and bind the file encryption and decryption management class and the memory encryption and decryption management class of that encryption card module so as to encrypt and decrypt the confidential file.
For system embodiments, the description is relatively simple as it is substantially similar to method embodiments, and reference is made to the description of method embodiments for relevant points.
In this specification, the embodiments are described in a progressive manner; each embodiment is described mainly by its differences from the other embodiments, and for the parts that are identical or similar between embodiments reference may be made to one another.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the application may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the scope of the embodiments of the application.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or terminal device comprising the element.
The transparent encryption and decryption method and device for a universal encryption card provided by the application have been described in detail above, and specific examples have been used to illustrate the principle and implementation of the application; the description of the above examples is only intended to help in understanding the method and the core idea of the application. Meanwhile, since those skilled in the art will vary the specific embodiments and the scope of application in accordance with the ideas of the present application, the present description should not be construed as limiting the application.

Claims (10)

1. A transparent encryption and decryption method for a universal encryption card, the method comprising:
creating an encryption card module plug-in framework, and packaging different encryption card modules according to the application interface specification of the cryptographic device to obtain a dynamic link library file;
injecting the dynamic link library file into a target process by using an API Hook technique so as to intercept IO operations on the confidential file in the target process;
after intercepting an IO operation on the confidential file, calling the encryption card plug-in framework, and binding the corresponding encryption card module to encrypt and decrypt the confidential file according to the encryption card identifier stored in the ciphertext header of the confidential file.
2. The method of claim 1, wherein the cryptographic card module plug-in framework comprises a device layer, an access layer, and an application layer;
the equipment layer comprises a plurality of encryption card modules, and any encryption card module is provided with a unique encryption card identifier;
the access layer is used for shielding the difference of a plurality of encryption card modules and providing a unified calling interface for the application layer so as to manage the accessed encryption card modules and realize the unified calling of the encryption card modules;
the application layer is used for providing required file encryption and decryption management class and memory encryption and decryption management class for transparent encryption and decryption of the secret-related file so as to output plaintext or ciphertext.
3. The method as recited in claim 1, further comprising:
hooking the creation, opening and closing of the confidential file;
establishing a mapping relation between the file handle and the file path of the confidential file to establish a corresponding file control block; the file handle is used for identifying the confidential file which is opened;
wherein binding the corresponding encryption card module to encrypt and decrypt the confidential file according to the encryption card identifier stored in the ciphertext header of the confidential file includes:
and reading the encryption card identifier stored in the ciphertext header of the confidential file from the file control block, matching a corresponding encryption card module in the encryption card module plug-in frame according to the encryption card identifier, and binding a file encryption and decryption management class and a memory encryption and decryption management class of the encryption card module so as to encrypt and decrypt the confidential file.
4. A method according to claim 3, wherein the IO operation on the confidential document includes a document mapping manner and a document reading/writing manner;
the file mapping mode comprises opening, creating and closing of the confidential file, and opening, creating and closing of a file view, mapping of the file view and unmapping of the file view; the file view is a virtual address space part used by the target process to access the content of the confidential file;
the file read-write mode refers to correcting the length information of the confidential file according to the file size queried and set through the file control block, and the file read-write mode comprises a synchronous read-write mode and an asynchronous read-write mode.
5. The method of claim 4, wherein when the target process opens the secret-related file in the file mapping manner, binding the corresponding encryption card module to encrypt and decrypt the secret-related file according to the encryption card identifier stored in the secret header of the secret-related file, including:
triggering the file control block to detect whether the confidential file needs to be decrypted or not, and reading an encryption card identifier stored in a confidential header of the confidential file under the condition that the confidential file needs to be decrypted;
and calling a corresponding encryption card module according to the encryption card identification to decrypt the secret-related file to obtain a plaintext memory mapped to a virtual address space of the target process, so as to realize file content viewing.
6. The method of claim 4, wherein when the target process closes the secret-related file in the file mapping manner, binding the corresponding encryption card module to encrypt and decrypt the secret-related file according to the encryption card identifier stored in the secret header of the secret-related file, including:
canceling file mapping and triggering the file control block to detect whether the confidential file needs to be encrypted or not, and reading an encryption card identifier stored in a confidential header of the confidential file under the condition that the confidential file needs to be encrypted;
and calling the corresponding encryption card module according to the encryption card identifier, encrypting the confidential file with the public key of the opposite end, and storing the resulting ciphertext stream on disk.
7. The method according to claim 4, wherein binding the corresponding encryption card module to encrypt and decrypt the secret-related file according to the encryption card identifier stored in the secret header of the secret-related file when the file read-write mode is the synchronous read-write mode, comprises:
when the secret-related file is read, the secret-related file is decrypted by utilizing the corresponding encryption card module, so that plaintext data is obtained and read;
when writing the confidential file, calling the corresponding encryption card module, encrypting the plaintext data with the public key of the opposite end, and storing the resulting ciphertext stream on disk.
8. The method according to claim 4, wherein, in the case that the file read-write mode is an asynchronous read-write mode, binding the corresponding encryption card module to decrypt the secret-related file according to the encryption card identifier stored in the secret header of the secret-related file includes:
when the secret-related file is read, memory is allocated for the secret-related file and transmitted to an access layer of the encryption card plug-in frame for reading data;
when the I/O completion callback is handled, intercepting the completion port operation and the read-data operation, and decrypting the data with the bound file encryption and decryption management class and memory encryption and decryption management class;
copying the decrypted data into the distributed memory, modifying the data length, and releasing the internal distributed memory space.
9. The method according to claim 4, wherein, in the case that the file read-write mode is an asynchronous read-write mode, binding the corresponding encryption card module to encrypt the secret-related file according to the encryption card identifier stored in the secret header of the secret-related file includes:
when writing the secret-related file, memory is allocated for the secret-related file;
encrypting the data by using the bound file encryption and decryption management class and the memory encryption and decryption management class, and writing the encrypted data into the allocated memory;
and when the I/O completion callback is handled, releasing the internally allocated memory space.
10. A transparent encryption and decryption device for a universal encryption card, the device comprising: a process injection module, a file IOHook module, an encryption card module plug-in framework and a user interaction module;
the process injection module is used for injecting the file IOHook module into a target process;
the file IOHook module is used for intercepting IO operations on the confidential file, calling the encryption card plug-in framework and binding the corresponding encryption card module to encrypt and decrypt the confidential file according to the encryption card identifier stored in the ciphertext header of the confidential file;
the encryption card module plug-in framework is used for managing the adapted encryption card modules and realizing unified calling of the encryption card modules;
and the user interaction module is used for realizing end-to-end file encryption and decryption.
CN202311035398.8A 2023-08-16 2023-08-16 Transparent encryption and decryption method and device for universal encryption card Pending CN117150521A (en)

Publications (1)

Publication Number Publication Date
CN117150521A true CN117150521A (en) 2023-12-01
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination